heather chatterjee


City: darien
Country: usa
Profession: it audit
User No: 117563
Total Questions Posted: 16
Total Answers Posted: 18
Total Answers Posted for My Questions: 18
Total Views for My Questions: 78738
Users Marked my Answers as Correct: 79
Users Marked my Answers as Wrong: 5
Questions / { heather chatterjee }
Each question below is followed by: Answers | Category | Views

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? A. Controls are implemented based on cost-benefit analysis. B. The risk management framework is based on global standards. C. The approval process for risk response is in place. D. IT risk is presented in business terms.

Answers: 1 | Category: CISA Certification | Views: 6044

The use of residual biometric information to gain unauthorized access is an example of which of the following attacks? A. Replay B. Brute force C. Cryptographic D. Mimic

Answers: 1 | Category: CISA Certification | Views: 2401

Which of the following is the MOST effective type of antivirus software to detect an infected application? A. Scanners B. Active monitors C. Integrity checkers D. Vaccines

Answers: 1 | Category: CISA Certification | Views: 5346

Which of the following is the MOST critical element of an effective disaster recovery plan (DRP)? A. Offsite storage of backup data B. Up-to-date list of key disaster recovery contacts C. Availability of a replacement data center D. Clearly defined recovery time objective (RTO)

Answers: 1 | Category: CISA Certification | Views: 7773

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that: A. the users may not remember to manually encrypt the data before transmission. B. the site credentials were sent to the financial services company via email. C. personnel at the consulting firm may obtain access to sensitive data. D. the use of a shared user ID to the FTP site does not allow for user accountability.

Answers: 1 | Category: CISA Certification | Views: 3482

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: A. assessment of the situation may be delayed. B. execution of the disaster recovery plan could be impacted. C. notification of the teams might not occur. D. potential crisis recognition might be delayed.

Answers: 1 | Category: CISA Certification | Views: 5939

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor? A. There are a growing number of emergency changes. B. There were instances when some jobs were not completed on time. C. There were instances when some jobs were overridden by computer operators. D. Evidence shows that only scheduled jobs were run.

Answers: 1 | Category: CISA Certification | Views: 5351

While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours. The IS auditor should report that the project: A. is behind schedule. B. is ahead of schedule. C. is on schedule. D. cannot be evaluated until the activity is completed.

Answers: 1 | Category: CISA Certification | Views: 5068

An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when: A. the probability of error must be objectively quantified. B. the auditor wants to avoid sampling risk. C. generalized audit software is unavailable. D. the tolerable error rate cannot be determined.

Answers: 1 | Category: CISA Certification | Views: 6282

The MAIN reason for requiring that all computer clocks across an organization be synchronized is to: A. prevent omission or duplication of transactions. B. ensure smooth data transition from client machines to servers. C. ensure that email messages have accurate time stamps. D. support the incident investigation process.

Answers: 2 | Category: CISA Certification | Views: 2182

During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor? A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident. B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices. C. Corporate security measures have not been incorporated into the test plan. D. A test has not been made to ensure that tape backups from the remote offices are usable.

Answers: 1 | Category: CISA Certification | Views: 7346

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan: A. incorporates state of the art technology. B. addresses the required operational controls. C. articulates the IT mission and vision. D. specifies project management practices.

Answers: 1 | Category: CISA Certification | Views: 2550

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find? A. Use of a capability maturity model (CMM) B. Regular monitoring of task-level progress against schedule C. Extensive use of software development tools to maximize team productivity D. Postiteration reviews that identify lessons learned for future use in the project

Answers: 1 | Category: CISA Certification | Views: 2693

To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system (IDS) between the:

Answers: 2 | Category: CISA Certification | Views: 3147

During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern? A. Maximum acceptable downtime metrics have not been defined in the contract. B. The IT department does not manage the relationship with the cloud vendor. C. The help desk call center is in a different country, with different privacy requirements. D. Company-defined security policies are not applied to the cloud application.

Answers: 1 | Category: CISA Certification | Views: 6227





Answers / { heather chatterjee }

Question { 4986 }

An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?

A. An application-level gateway

B. A remote access server

C. A proxy server

D. Port scanning


Answer

The Correct answer is A
A. An application-level gateway is the best way to protect against hacking because it can be configured with detailed rules that describe the type of user or connection that is or is not permitted. It analyzes, in detail, each packet—not only in layers one through four of the Open System Interconnection (OSI) model, but also layers five through seven, which means that it reviews the commands of each higher-level protocol (Hypertext Transmission Protocol [HTTP], File Transfer Protocol [FTP], Simple Network Management Protocol [SNMP], etc.).
B. For a remote access server, there is a device (server) that asks for a username and password before entering the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet, creating security exposure.
C. Proxy servers can provide excellent protection, but depending on the type of proxy, they may not be able to examine traffic as effectively as an application gateway. For proxy servers to work, an individual is needed who really knows how to do this, and applications can use different ports for the different sections of the program.
D. Port scanning is used to detect vulnerabilities or open ports on a network, but not when trying to control what comes from the Internet, or when all the ports available need to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses would be available for the application and browsing but would not respond to Ping.

Is This Answer Correct ?    2 Yes 0 No

Question { 5361 }

An IS auditor is reviewing the change management process for an enterprise resource planning (ERP) application. Which of the following is the BEST method for testing program changes?


A. Select a sample of change tickets and review them for authorization.

B. Perform a walk-through by tracing a program change from start to finish.

C. Trace a sample of modified programs to supporting change tickets.

D. Use query software to analyze all change tickets for missing fields.


Answer

The correct answer is C

A. Selecting a sample of change tickets and reviewing them for authorization helps test for authorization controls; however, it does not identify program changes that were made without supporting change tickets.
B. Performing a walk-through assists the IS auditor in understanding the process, but does not ensure that all changes adhere to the normal process.
C. Tracing a sample of modified programs to supporting change tickets is the best way to test change management controls. This method is most likely to identify instances in which a change was made without supporting documentation.
D. Using query software to analyze all change tickets for missing fields does not identify program changes that were made without supporting change tickets.



Question #: 559 CISA Job Practice Task Statement: 4.8

Is This Answer Correct ?    0 Yes 0 No


Question { 6044 }

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review?
A. Controls are implemented based on cost-benefit analysis.
B. The risk management framework is based on global standards.
C. The approval process for risk response is in place.
D. IT risk is presented in business terms.


Answer

The correct answer is D.

A. Controls to mitigate risk must be implemented based on cost-benefit analysis; however, the cost-benefit analysis is effective only if risk is presented in business terms.
B. A risk management framework based on global standards helps in ensuring completeness; however, organizations must adapt it to suit specific business requirements.
C. Approvals for risk response come later in the process.
D. In order for risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.

Is This Answer Correct ?    5 Yes 0 No

Question { 2401 }

The use of residual biometric information to gain unauthorized access is an example of which of the following attacks?
A. Replay
B. Brute force
C. Cryptographic
D. Mimic


Answer

The correct answer is A.

A. Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access.
B. A brute force attack involves feeding the biometric capture device numerous different biometric samples.
C. A cryptographic attack targets the algorithm or the encrypted data.
D. In a mimic attack, the attacker reproduces characteristics similar to those of the enrolled user, such as forging a signature or imitating a voice.

Is This Answer Correct ?    4 Yes 0 No

Question { 5346 }

Which of the following is the MOST effective type of antivirus software to detect an infected application?
A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines


Answer

The correct answer is C

A. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executable files and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective.
B. Active monitors interpret disk operating system (DOS) and read-only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions such as formatting a disk or deleting a file or set of files.
C. Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus.
D. Vaccines are known to be good antivirus software. However, they need to be updated periodically to remain effective.

Is This Answer Correct ?    1 Yes 0 No
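The integrity checker described in answer C, as an added example that is not part of the original answer: a baseline database is built from known-clean programs, and each program is re-fingerprinted before execution and compared against it. The sample "programs" are constructed byte strings standing in for executables; the block computes the CRC the answer mentions and, alongside it, a SHA-256 digest, since a plain CRC is not collision resistant and a modern checker should store a cryptographic hash (and protect the database itself from tampering).

```python
import hashlib
import zlib
from typing import Dict, List, Tuple

# Constructed sample "programs" standing in for executables on disk.
# A real checker would read the file bytes from the filesystem instead.
SAMPLE_PROGRAMS: Dict[str, bytes] = {
    "payroll.exe": b"MZ\x90\x00 original payroll program bytes",
    "ledger.exe": b"MZ\x90\x00 original ledger program bytes",
}


def fingerprint(data: bytes) -> Dict[str, str]:
    """Compute the CRC the answer describes plus a cryptographic digest.

    CRC32 catches accidental corruption but is not collision resistant, so
    an integrity checker should store SHA-256 (or a keyed MAC) as well.
    """
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_baseline(programs: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Step 1: fingerprint known-clean programs into the baseline database."""
    return {name: fingerprint(data) for name, data in programs.items()}


def check_before_execute(
    name: str, data: bytes, baseline: Dict[str, Dict[str, str]]
) -> Tuple[bool, str]:
    """Step 2: recompute the fingerprint at load time and compare it.

    Returns (ok, reason). A mismatch does not prove infection, only that the
    program changed since the baseline was taken; the caller decides whether
    to block execution or raise an alert for investigation.
    """
    expected = baseline.get(name)
    if expected is None:
        return False, "no baseline entry: program was never fingerprinted"
    current = fingerprint(data)
    if current == expected:
        return True, "match: no change detected"
    changed: List[str] = [k for k in expected if current[k] != expected[k]]
    return False, f"mismatch in {', '.join(changed)}: program changed since baseline"


def scan_all(
    programs: Dict[str, bytes], baseline: Dict[str, Dict[str, str]]
) -> List[str]:
    """Return the names of all programs whose fingerprint no longer matches."""
    return [
        name for name, data in programs.items()
        if not check_before_execute(name, data, baseline)[0]
    ]
```

The baseline only protects programs that were clean when it was taken; a program infected before the checker was installed will produce a "match".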

Question { 7773 }

Which of the following is the MOST critical element of an effective disaster recovery plan (DRP)?

A. Offsite storage of backup data

B. Up-to-date list of key disaster recovery contacts

C. Availability of a replacement data center

D. Clearly defined recovery time objective (RTO)


Answer

The correct answer is A


A. Remote storage of backups is the most critical disaster recovery plan (DRP) element of the items listed because access to backup data is required to restore systems.

B. Having a list of key contacts is important but not as important as having adequate data backup.

C. A DRP may use a replacement data center or some other solution such as a mobile site, reciprocal agreement or outsourcing agreement.

D. Having a clearly defined recovery time objective (RTO) is especially important for business continuity planning (BCP), but the core element of disaster recovery (the recovery of IT infrastructure and capability) is data backup.

Is This Answer Correct ?    6 Yes 1 No

Question { 3482 }

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that:

A. the users may not remember to manually encrypt the data before transmission.

B. the site credentials were sent to the financial services company via email.

C. personnel at the consulting firm may obtain access to sensitive data.

D. the use of a shared user ID to the FTP site does not allow for user accountability.


Answer

The correct answer is A.

A. If the data is not encrypted, an unauthorized external party may download sensitive company data.

B. Even though the possibility exists that the logon information was captured from the emails, data should be encrypted, so the theft of the data would not allow the attacker to read it.

C. Some of the employees at the consulting firm will have access to the sensitive data and the consulting firm must have procedures in place to protect the data.

D. Tracing accountability is of minimal concern compared to the compromise of sensitive data.

Question #: 802 CISA Job Practice Task Statement: 5.3

Is This Answer Correct ?    4 Yes 0 No

Question { 5939 }

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:

A. assessment of the situation may be delayed.

B. execution of the disaster recovery plan could be impacted.

C. notification of the teams might not occur.

D. potential crisis recognition might be delayed.


Answer

The correct answer is B

A. Problem and severity assessment would provide information necessary in declaring a disaster, but the lack of a crisis declaration point would not delay the assessment.

B. Execution of the business continuity and disaster recovery plans would be impacted if the organization does not know when to declare a crisis.

C. After a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying the declaration of a disaster would impact or negate the effect of having response teams, but this is only one part of the larger impact.

D. Potential crisis recognition is the first step in recognizing or responding to a disaster and would occur prior to the declaration of a disaster.

Question #: 253 CISA Job Practice Task Statement: 2.10

Is This Answer Correct ?    3 Yes 0 No

Question { 5351 }

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?

A. There are a growing number of emergency changes.

B. There were instances when some jobs were not completed on time.

C. There were instances when some jobs were overridden by computer operators.

D. Evidence shows that only scheduled jobs were run.


Answer

A. Emergency changes are acceptable as long as they are properly documented as part of the process.

B. Instances of jobs not being completed on time is a potential issue and should be investigated, but it is not the greatest concern.

C. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical.

D. The audit should find that all scheduled jobs were run and that any exceptions were documented. This would not be a violation.

Question #: 72 CISA Job Practice Task Statement: 1.2

Is This Answer Correct ?    4 Yes 1 No

Question { 5068 }

While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours. The IS auditor should report that the project:

A. is behind schedule.

B. is ahead of schedule.

C. is on schedule.

D. cannot be evaluated until the activity is completed.


Answer

The correct answer is A

A. Earned value analysis (EVA) is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule because the value of the eight hours spent on the task should be only four hours, considering that 20 hours of effort remain to be completed.

B. The project is not ahead of schedule because the work remaining exceeds the time allotted.

C. The project is not on schedule because only 16 hours remain to do 20 hours work.

D. The amount of work left has been evaluated at 20 hours and the time left on the project is 16 hours, so the auditor can evaluate the current status of the project.

Question #: 318 CISA Job Practice Task Statement: 3.4

Is This Answer Correct ?    5 Yes 0 No
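The earned value reasoning in answer A, carried through with the question's numbers as an added example (not part of the original answer): budget 24 hours over three days gives a planned value of 8 hours on day one, 20 hours of remaining effort means only 4 hours of value has been earned, and the resulting variances and indices show the project behind schedule. The metric names (EV, PV, AC, SV, CV, SPI, CPI, EAC) are standard earned value terms and are assumptions beyond what the answer spells out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EarnedValue:
    budget_hours: float      # budget at completion (BAC) for the activity
    planned_hours: float     # planned value (PV): hours scheduled by now
    actual_hours: float      # actual cost (AC): hours actually spent
    remaining_hours: float   # estimate to complete (ETC) reported by the team

    @property
    def earned_hours(self) -> float:
        """EV: budgeted worth of the work actually done. With 20 of 24 hours
        still to go, only 4 hours' worth of the activity has been earned."""
        return self.budget_hours - self.remaining_hours

    @property
    def schedule_variance(self) -> float:
        return self.earned_hours - self.planned_hours   # SV = EV - PV

    @property
    def cost_variance(self) -> float:
        return self.earned_hours - self.actual_hours    # CV = EV - AC

    @property
    def spi(self) -> float:
        return self.earned_hours / self.planned_hours   # < 1 means behind

    @property
    def cpi(self) -> float:
        return self.earned_hours / self.actual_hours    # < 1 means over budget

    @property
    def estimate_at_completion(self) -> float:
        """EAC = AC + ETC: 8 spent + 20 remaining exceeds the 24-hour budget."""
        return self.actual_hours + self.remaining_hours

    def schedule_status(self) -> str:
        if self.schedule_variance < 0:
            return "behind schedule"
        if self.schedule_variance > 0:
            return "ahead of schedule"
        return "on schedule"


def question_5068() -> EarnedValue:
    """The figures from the question: 24 h budget over three days (8 h/day),
    8 h spent on day one, 20 h still projected to finish the activity."""
    return EarnedValue(budget_hours=24, planned_hours=8,
                       actual_hours=8, remaining_hours=20)
```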

Question { 6282 }

An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when:

A. the probability of error must be objectively quantified.

B. the auditor wants to avoid sampling risk.

C. generalized audit software is unavailable.

D. the tolerable error rate cannot be determined.


Answer

You are correct, the answer is A.

A. Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient).

B. Sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples.

C. Statistical sampling can use generalized audit software, but it is not required.

D. The tolerable error rate must be predetermined for both judgment and statistical sampling.

Question #: 29 CISA Job Practice Task Statement: 1.2

Is This Answer Correct ?    5 Yes 0 No

Question { 2182 }

The MAIN reason for requiring that all computer clocks across an organization be synchronized is to:

A. prevent omission or duplication of transactions.

B. ensure smooth data transition from client machines to servers.

C. ensure that email messages have accurate time stamps.

D. support the incident investigation process.


Answer

The correct answer is D

A. The possibility of omission or duplication of transactions will not happen due to lack of clock synchronization.

B. Data transfer has nothing to do with the time stamp.

C. While the time stamp on an email may not be accurate, this is not a significant issue.

D. During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult because a time line of events occurring on different systems might not be easily established.

Is This Answer Correct ?    6 Yes 0 No
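The investigation problem in answer D, as an added example that is not from the original answer: log lines from three hosts are merged into one timeline, and the block shows how one host whose clock is two minutes slow puts its events before the firewall connection that caused them, and how applying the known offset restores a causally consistent order. The log lines, host names, addresses and the 120-second skew are all constructed for this example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not real logs) from three hosts, each stamped
# by its own clock. Line format: "YYYY-MM-DD HH:MM:SS message".
LOGS: Dict[str, List[str]] = {
    "fw01": [
        "2024-03-05 10:00:05 ACCEPT tcp 203.0.113.9 -> 10.0.0.5:443",
        "2024-03-05 10:00:40 ACCEPT tcp 203.0.113.9 -> 10.0.0.5:443",
    ],
    "web01": [
        "2024-03-05 10:00:06 GET /login from 203.0.113.9",
        "2024-03-05 10:00:41 POST /export from 203.0.113.9 status=200",
    ],
    # db01's clock runs two minutes slow, so its stamps are earlier than reality.
    "db01": [
        "2024-03-05 09:58:20 LOGIN app_user from 10.0.0.5",
        "2024-03-05 09:58:39 SELECT * FROM customers by app_user",
    ],
}

# Known clock offsets in seconds to ADD to a host's stamps to get true time,
# as an investigator records them after checking each host against a
# reference clock. Assumed value for this example.
SKEW_SECONDS: Dict[str, int] = {"db01": 120}

Event = Tuple[datetime, str, str]   # (corrected time, host, message)


def parse_line(line: str) -> Tuple[datetime, str]:
    """Split a line into its timestamp and message."""
    stamp, message = line[:19], line[20:]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), message


def build_timeline(
    logs: Dict[str, List[str]], skew: Optional[Dict[str, int]] = None
) -> List[Event]:
    """Merge every host's lines into one list ordered by (corrected) time."""
    skew = skew or {}
    events: List[Event] = []
    for host, lines in logs.items():
        delta = timedelta(seconds=skew.get(host, 0))
        for line in lines:
            ts, msg = parse_line(line)
            events.append((ts + delta, host, msg))
    return sorted(events)


def event_order(timeline: List[Event]) -> List[str]:
    """Sequence of hosts in the timeline, used to eyeball causality."""
    return [host for _, host, _ in timeline]


def causality_violations(timeline: List[Event]) -> List[str]:
    """Flag internal-host events that precede the firewall's first ACCEPT.

    A database login recorded before any connection was admitted cannot have
    happened in that order; it is the symptom of an unsynchronized clock.
    """
    first_accept = next((t for t, h, _ in timeline if h == "fw01"), None)
    if first_accept is None:
        return []
    return [f"{h}: {m}" for t, h, m in timeline
            if h != "fw01" and t < first_accept]
```

With synchronized clocks the skew table is empty and the raw timeline is already consistent; the offsets exist only to repair evidence collected after the fact.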

Question { 7346 }

During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?

A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.

B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices.

C. Corporate security measures have not been incorporated into the test plan.

D. A test has not been made to ensure that tape backups from the remote offices are usable.


Answer

The answer is A.

A. Regardless of the capability of local IT resources, the most critical risk would be the lack of testing, which would identify quality issues in the recovery process.

B. The corporate business continuity plan (BCP) may not include disaster recovery plan (DRP) details for remote offices. It is important to ensure that the local plans have been tested.

C. Security is an important issue because many controls may be missing during a disaster. However, not having a tested plan is more important.

D. The backups cannot be trusted until they have been tested. However, this should be done as part of the overall tests of the DRP.

Is This Answer Correct ?    9 Yes 0 No

Question { 2550 }

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:

A. incorporates state of the art technology.

B. addresses the required operational controls.

C. articulates the IT mission and vision.

D. specifies project management practices.


Answer

The correct answer is C.

A. The plan does not need to address state of the art technology; the decision to implement new technology is dependent on the approach to risk and management strategy.

B. The plan does not need to address operational controls because those are too granular for strategic planning.

C. The IT strategic plan must include a clear articulation of the IT mission and vision.

D. The plan should be implemented with proper project management, but the plan does not need to address project management practices.

Question #: 147 CISA Job Practice Task Statement: 2.1

Is This Answer Correct ?    6 Yes 0 No

Question { 2693 }

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find?

A. Use of a capability maturity model (CMM)

B. Regular monitoring of task-level progress against schedule

C. Extensive use of software development tools to maximize team productivity

D. Postiteration reviews that identify lessons learned for future use in the project


Answer

The answer is D.

A. The capability maturity model (CMM) places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics.

B. Task-level tracking is not used because daily meetings identify challenges and impediments to the project.

C. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance.

D. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that the team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from four to eight weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant.

Question #: 424 CISA Job Practice Task Statement: 3.5

Is This Answer Correct ?    5 Yes 0 No
